Modeling Data Protection and Privacy: Application and Experience with GDPR

Torre, Damiano; Alferez, Mauricio; Soltana, Ghanem; Sabetzadeh, Mehrdad; Briand, Lionel

doi:10.1007/s10270-021-00935-5

Download

Article (Scientific journals)

Modeling Data Protection and Privacy: Application and Experience with GDPR

Torre, Damiano; Alferez, Mauricio; Soltana, Ghanem et al.

2021 • In Software and Systems Modeling

Peer reviewed

Permalink
https://hdl.handle.net/10993/48170

DOI
10.1007/s10270-021-00935-5

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

Modeling_Data_Protection_and_Privacy__Application_and_Experiencewith_GDPR.pdf

Author preprint (1.2 MB)

Download

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

GDPR; regulatory compliance

Abstract :

[en] In Europe and indeed worldwide, the Gen- eral Data Protection Regulation (GDPR) provides pro- tection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly ben- e cial to individuals, it presents signi cant challenges for organizations monitoring or storing personal infor- mation. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a rst step towards de- signing automated methods for checking GDPR compli- ance. Given that the practical application of the GDPR is infuenced by national laws of the EU Member States,we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete trace- ability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English de- scription of 35 compliance rules derived from GDPR along with their encoding in OCL, and (4) the set of 20 variations points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)

Disciplines :

Computer science

Author, co-author :

Torre, Damiano ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

Alferez, Mauricio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

Soltana, Ghanem ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Sabetzadeh, Mehrdad ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

Briand, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

External co-authors :

Language :

English

Title :

Modeling Data Protection and Privacy: Application and Experience with GDPR

Publication date :

2021

Journal title :

Software and Systems Modeling

ISSN :

1619-1374

Publisher :

Springer, Germany

Peer reviewed :

Peer reviewed

Focus Area :

Security, Reliability and Trust

Name of the research project :

IMOREF

Funders :

FNR - Fonds National de la Recherche [LU]

Available on ORBilu :

since 30 September 2021

Statistics

Number of views

198 (35 by Unilu)

Number of downloads

527 (28 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

WoS citations^™

Bibliography

Alpaydin, E.: Machine Learning: The New AI. MIT Press (2016)
Arora, C., Sabetzadeh, M., Briand, L.C., Zimmer, F.: Extracting domain models from natural-language requirements: Approach and industrial evaluation. In: Proceedings of the 19th IEEE/ACM International Conference on Model Driven Engineering Languages and Systems (MoDELS’16), pp. 250–260 (2016)
Ayala-Rivera, V., Pasquale, L.: The grace period has ended: An approach to operationalize GDPR requirements. In: Proceedings of 31st IEEE International Conference on Requirements Engineering (RE’18), pp. 136–146 (2018)
Brambilla, M., Cabot, J., Wimmer, M.: Model-Driven Software Engineering in Practice, 2nd edn. Morgan & Claypool Publishers (2016)
Breaux, T.: Exercising due diligence in legal requirements acquisition: A tool-supported, frame-based approach. In: Proceedings of 17th IEEE International Conference on Requirements Engineering (RE’09), pp. 225–230 (2009)
Burmeister, F., Drews, P., Schirmer, I.: A privacy-driven enterprise architecture meta-model for supporting compliance with the general data protection regulation. In: Bui, T. (ed.) 52nd Hawaii International Conference on System Sciences, HICSS 2019, Grand Wailea, Maui, Hawaii, USA, January 8–11, 2019, pp. 1–10. ScholarSpace (2019)
Cabot, J., Clarisó, R., Riera, D.: UMLtoCSP: A tool for the formal verification of UML/OCL models using constraint programming. In: Proceedings of the 22nd IEEE/ACM International Conference on Automated Software Engineering (ASE’07), pp. 547–548 (2007)
Caramujo, J., Rodrigues da Silva, A., Monfared, S., Ribeiro, A., Calado, P., Breaux, T.: RSL-IL4Privacy: A domain-specific language for the rigorous specification of privacy policies. Requir. Eng. 24(1), 1–26 (2019)
Chung, P.W., Cheung, L.Y., Machin, C.H.: Compliance flow—managing the compliance of dynamic and complex processes. Knowl. Syst. 21(4), 332–354 (2008) DOI: 10.1016/j.knosys.2007.11.002
Clements, P., Northrop, L.: Software Product Lines: Practices and Patterns. Addison-Wesley (2001)
Diamantopoulou, V., Angelopoulos, K., Pavlidis, M., Mouratidis, H.: A metamodel for gdpr-based privacy level agreements. In: Cabanillas, C., España, S., Farshidi, S. (eds.) Proceedings of the ER Forum 2017 and the ER 2017 Demo Track co-located with the 36th International Conference on Conceptual Modelling (ER 2017), Valencia, Spain, - November 6–9, 2017, CEUR Workshop Proceedings, vol. 1979, pp. 285–291. http://CEUR-WS.org (2017)
Emmerich, W., Finkelstein, A., Montangero, C., Antonelli, S., Armitage, S., Stevens, R.: Managing standards compliance. IEEE Trans. Softw. Eng. 25(6), 836–851 (1999) DOI: 10.1109/32.824413
EU-GDPR: EU GDPR portal (2019). https://eugdpr.org
European Union: The GDPR: New opportunities, new obligations. Justice and Consumers (2018)
European Union: General data protection regulation. Official Journal of the European Union (2018). http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
France, R., Rumpe, B.: Model-driven development of complex software: A research roadmap. In: Proceedings of 2007 Workshop on the Future of Software Engineering (FOSE ’07), pp. 37–54 (2007)
Ghanavati, S., Rifaut, A., Dubois, E., Amyot, D.: Goal-oriented compliance with multiple regulations. In: Proceedings of 22nd IEEE International Conference on Requirements Engineering (RE’14), pp. 73–82 (2014)
Guarda, P., Ranise, S., Siswantoro, H.: Security analysis and legal compliance checking for the design of privacy-friendly information systems. In: Proceedings o 22nd ACM on Symposium on Access Control Models and Technologies (SACMAT’17), pp. 247–254 (2017)
Hajri, I., Goknil, A., Briand, L.C., Stephany, T.: PUMConf: a tool to configure product specific use case and domain models in a product line. In: Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’16), pp. 1008–1012 (2016)
Hajri, I., Göknil, A., Briand, L.C., Stephany, T.: Configuring use case models in product families. Softw. Syst. Model. 17(3), 939–971 (2018) DOI: 10.1007/s10270-016-0539-8
Ingolfo, S., Siena, A., Mylopoulos, J.: Nòmos 3: Reasoning about regulatory compliance of requirements. In: Proceedings of 22nd IEEE International Requirements Engineering Conference (RE’14), pp. 313–314 (2014)
Manning, C.D., Schütze, H.: Foundations of Statistical Natural Language Processing. MIT Press (2001)
OMG: Object Constraint Language - Version 2.4 (2017). https://www.omg.org/spec/OCL/2.4/PDF
OMG: Unified Modeling Language - Superstructure Version 2.5.1 (2017). https://www.omg.org/spec/UML/2.5.1/PDF
Panesar-Walawege, R.K., Sabetzadeh, M., Briand, L.C.: Supporting the verification of compliance to safety standards via model-driven engineering: approach, tool-support and empirical validation. Inf. Softw. Technol. 55(5), 836–864 (2013) DOI: 10.1016/j.infsof.2012.11.009
Pullonen, P., Tom, J., Matulevicius, R., Toots, A.: Privacy-enhanced BPMN: enabling data privacy analysis in business processes models. Softw. Syst. Model. pp. 1–30 (2019)
Rabinia, A., Ghanavati, S., Humphreys, L., Hahmann, T.: A methodology for implementing the formal legal-grl framework: a research preview. In: Madhavji, N., Pasquale, L., Ferrari, A., Gnesi, S. (eds.) Requirements Engineering: Foundation for Software Quality, pp. 124–131. Springer International Publishing, Cham (2020) DOI: 10.1007/978-3-030-44429-7_9
Ranise, S., Siswantoro, H.: Automated legal compliance checking by security policy analysis. In: Computer Safety, Reliability, and Security (SAFECOMP’17 Workshops), pp. 361–372 (2017)
Sannier, N., Adedjouma, M., Sabetzadeh, M., Briand, L.C.: An automated framework for detection and resolution of cross references in legal texts. Requir. Eng. 22(2), 215–237 (2017) DOI: 10.1007/s00766-015-0241-3
Shum, S.B., Hammond, N.: Argumentation-based design rationale: what use at what cost? Int. J. Hum.-Comput. Stud. 40(4), 603–652 (1994) DOI: 10.1006/ijhc.1994.1029
Sing, E.: A meta-model driven method for establishing business process compliance to gdpr. Master’s thesis, University of Tartu (2019)
Sleimi, A., Sannier, N., Sabetzadeh, M., Briand, L.C., Dann, J.: Automated extraction of semantic legal metadata using natural language processing. In: Proceedings of 26th IEEE International Requirements Engineering Conference (RE’18), pp. 124–135 (2018)
Soltana, G., Fourneret, E., Adedjouma, M., Sabetzadeh, M., Briand, L.C.: Using UML for modeling procedural legal rules: Approach and a study of luxembourg’s tax law. In: Dingel, J., Schulte, W., Ramos, I., Abrahão, E. Insfrán (eds.) Model-Driven Engineering Languages and Systems - 17th International Conference, MODELS 2014, Valencia, Spain, September 28 - October 3, 2014. Proceedings, Lecture Notes in Computer Science, vol. 8767, pp. 450–466. Springer (2014)
Soltana, G., Sabetzadeh, M., Briand, L.C.: Practical model-driven data generation for system testing. arXiv preprint (arXiv:1902.00397) (2019). https://arxiv.org/pdf/1902.00397.pdf
Soltana, G., Sannier, N., Sabetzadeh, M., Briand, L.C.: Model-based simulation of legal policies: framework, tool support, and validation. Softw. Syst. Model. 17(3), 851–883 (2018) DOI: 10.1007/s10270-016-0542-0
Tankard, C.: What the GDPR means for businesses. Netw. Secur. 6, 5–8 (2016) DOI: 10.1016/S1353-4858(16)30056-3
Tom, J., Sing, E., Matulevičius, R.: Conceptual representation of the GDPR: model and application directions. In: Perspectives in Business Informatics Research, pp. 18–28 (2018)
Torre, D., Abualhaija, S., Sabetzadeh, M., Briand, L.C., Baetens, K., Goes, P., Forastie, S.: An AI-assisted approach for checking the completeness of privacy policies against GDPR. In: Proceedings of 28th IEEE International Conference on Requirements Engineering (RE’20) (2020)
Torre, D., Alferez, M., Soltana, G., Sabetzadeh, M., Briand, L.: Model Driven Engineering for Data Protection and Privacy: Application and Experience with GDPR - Appendix (2021). https://doi.org/10.5281/zenodo.4564856
Torre, D., Labiche, Y., Genero, M., Elaasar, M.: A systematic identification of consistency rules for UML diagrams. J. Syst. Softw. 144, 121–142 (2018) DOI: 10.1016/j.jss.2018.06.029
Torre, D., Soltana, G., Sabetzadeh, M., Briand, L.C., Auffinger, Y., Goes, P.: Using models to enable compliance checking against the GDPR: an experience report. In: 22nd ACM/IEEE International Conference on Model Driven Engineering Languages and Systems, MODELS 2019, Munich, Germany, September 15-20, 2019, pp. 1–11 (2019)
van Lamsweerde, A.: Requirements Engineering - From System Goals to UML Models to Software Specifications. Wiley (2009)
Zeni, N., Kiyavitskaya, N., Mich, L., Cordy, J.R., Mylopoulos, J.: GaiusT: supporting the extraction of rights and obligations for regulatory compliance. Requir. Eng. 20(1), 1–22 (2015) DOI: 10.1007/s00766-013-0181-8